Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 20:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1857c1dd7942a15d31b1d9b8eaa72749f296221402aa659bab6a1b48e37f4122.dll
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
1857c1dd7942a15d31b1d9b8eaa72749f296221402aa659bab6a1b48e37f4122.dll
-
Size
500KB
-
MD5
d274670f913543a1596c9ca564938ff0
-
SHA1
67e4bcf0912dea8125833f7aba776fba90d4186e
-
SHA256
1857c1dd7942a15d31b1d9b8eaa72749f296221402aa659bab6a1b48e37f4122
-
SHA512
8a384d715b7afb48be50ffa1cc4ea833417f051702515757b8cd8e945785ef1a5f919b3dc789da84f7ea740ee3127f87c189989959ef82f0f38ba6bf2c8ef58c
-
SSDEEP
12288:Ph8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNoMlYXN:P8F+Pzr/Hfp4MIYwZckMQmblsN
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 2972 rundll32mgr.exe 2956 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2760 rundll32.exe 2760 rundll32.exe 2972 rundll32mgr.exe 2972 rundll32mgr.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2972-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2956-24-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2956-51-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2956-60-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2956-584-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnoseek_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msador15.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODTXT.DLL svchost.exe File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadrh15.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\Timeline_is.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\nio.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\CsiSoap.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\javafx-font.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32r.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2956 WaterMark.exe 2956 WaterMark.exe 2956 WaterMark.exe 2956 WaterMark.exe 2956 WaterMark.exe 2956 WaterMark.exe 2956 WaterMark.exe 2956 WaterMark.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe 596 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2956 WaterMark.exe Token: SeDebugPrivilege 596 svchost.exe Token: SeDebugPrivilege 2956 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2748 wrote to memory of 2760 2748 rundll32.exe 30 PID 2760 wrote to memory of 2972 2760 rundll32.exe 31 PID 2760 wrote to memory of 2972 2760 rundll32.exe 31 PID 2760 wrote to memory of 2972 2760 rundll32.exe 31 PID 2760 wrote to memory of 2972 2760 rundll32.exe 31 PID 2972 wrote to memory of 2956 2972 rundll32mgr.exe 32 PID 2972 wrote to memory of 2956 2972 rundll32mgr.exe 32 PID 2972 wrote to memory of 2956 2972 rundll32mgr.exe 32 PID 2972 wrote to memory of 2956 2972 rundll32mgr.exe 32 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 2940 2956 WaterMark.exe 33 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 2956 wrote to memory of 596 2956 WaterMark.exe 34 PID 596 wrote to memory of 256 596 svchost.exe 1 PID 596 wrote to memory of 256 596 svchost.exe 1 PID 596 wrote to memory of 256 596 svchost.exe 1 PID 596 wrote to memory of 256 596 svchost.exe 1 PID 596 wrote to memory of 256 596 svchost.exe 1 PID 596 wrote to memory of 336 596 svchost.exe 2 PID 596 wrote to memory of 336 596 svchost.exe 2 PID 596 wrote to memory of 336 596 svchost.exe 2 PID 596 wrote to memory of 336 596 svchost.exe 2 PID 596 wrote to memory of 336 596 svchost.exe 2 PID 596 wrote to memory of 384 596 svchost.exe 3 PID 596 wrote to memory of 384 596 svchost.exe 3 PID 596 wrote to memory of 384 596 svchost.exe 3 PID 596 wrote to memory of 384 596 svchost.exe 3 PID 596 wrote to memory of 384 596 svchost.exe 3 PID 596 wrote to memory of 396 596 svchost.exe 4 PID 596 wrote to memory of 396 596 svchost.exe 4 PID 596 wrote to memory of 396 596 svchost.exe 4 PID 596 wrote to memory of 396 596 svchost.exe 4 PID 596 wrote to memory of 396 596 svchost.exe 4 PID 596 wrote to memory of 432 596 svchost.exe 5 PID 596 wrote to memory of 432 596 svchost.exe 5 PID 596 wrote to memory of 432 596 svchost.exe 5 PID 596 wrote to memory of 432 596 svchost.exe 5 PID 596 wrote to memory of 432 596 svchost.exe 5 PID 596 wrote to memory of 476 596 svchost.exe 6 PID 596 wrote to memory of 476 596 svchost.exe 6 PID 596 wrote to memory of 476 596 svchost.exe 6 PID 596 wrote to memory of 476 596 svchost.exe 6
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:612
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1360
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1488
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:692
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:772
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:832
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1096
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:876
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2120
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:296
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1080
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:1088
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1176
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1152
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1692
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:380
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:396
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1160
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1857c1dd7942a15d31b1d9b8eaa72749f296221402aa659bab6a1b48e37f4122.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1857c1dd7942a15d31b1d9b8eaa72749f296221402aa659bab6a1b48e37f4122.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize144KB
MD539bda2115ded9e699447ec5189533019
SHA10a9977493c43f53cda51b44ec13e34d4b8a64f1d
SHA256c73f4e5a0f264ed44e97a8cb5af94265c97836d9b7e428add6503c8b00cf99bb
SHA512ac7c2c008eb029df56df07ae354fdca67f79997d0d4cf9055b57d2adca668a9fcb3a6be177f41333bca9930c31d71261cdc63afc4bc767ecbd2b321c971d38ec
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize140KB
MD56480c330368f868a30df5456b1d222f3
SHA155e0fa214f577c798e69b27b0083d6c57032935a
SHA256fcd5a960a92daf235118f487d8e2726202dd3a46fb096c793c86781cba86fb21
SHA51234d548f4aa92f8a3099658d32fbb4725e157993e7c6ec718db68bbe98948083bc26db3c36e2ba185abf40489b6ba829a1d84b7af4651d6efb9377329b4b62714
-
Filesize
65KB
MD5a9ea94ee4a3bb43d4057823b2072dc54
SHA194ade3c34ec08613daba8a1240586c24f8169794
SHA2567edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789
SHA5120ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5